PSJailBreak Reverse Engineered, Requires Hardware to Update

Figure: 64 bytes of static data sent by the emulated Jig to the PS3

Figure: extract from the USB stream

We took the PSJailbreak dongle out of the drawer again to examine it in a bit more detail. Now we'll give you a short explanation of the important steps that take place inside the dongle.

We can confirm that PSJailbreak is in fact not a simple clone of Sony's “Jig” module; instead it is an honest, self-developed exploit. The chip inside is not a PIC18F444 but an ATMega with software USB. That means the chip is capable of USB emulation internally. PSJailbreak mainly emulates a 6-port USB hub to which several USB devices get connected and disconnected in a specific sequence. One of these devices has the ID of Sony's “Jig” module, which means the “Jig” played a certain role during the development of PSJailbreak.

But first things first: when the PS3 is switched on, a device with a too-large configuration descriptor is connected within the USB emulation. This descriptor overwrites the stack with the PowerPC code it contains, which is then executed. Now various other devices get connected within the emulation. One device has a descriptor 0xAD bytes in size that is part of the exploit and contains static data. A short time later (we're talking about milliseconds here) the “Jig” gets connected and encrypted data is sent to it.
An eternity later (in milliseconds, that is) the “Jig” answers with 64 bytes of static data, all USB devices get disconnected, a new device is connected and the PS3 restarts with a new look.
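The weak point described above is a host that trusts the size a device claims for its configuration descriptor. The following is an added example (not code from the original post, the dongle, or any console firmware) of the defender-side check a USB host stack needs before copying such a descriptor into a fixed buffer; the buffer capacity and the sample descriptor bytes are assumptions constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define USB_DT_CONFIG  0x02
#define CONFIG_BUF_MAX 256   /* assumed size of the host's fixed buffer */

/* A configuration descriptor starts with bLength, bDescriptorType and a
 * little-endian wTotalLength covering the interface and endpoint descriptors
 * that follow.  All of these are device-supplied, so none is trusted unchecked. */
int validate_config_descriptor(const uint8_t *d, size_t len, size_t cap)
{
    if (len < 4) return -1;                            /* no full header */
    if (d[0] < 9 || d[1] != USB_DT_CONFIG) return -2;  /* wrong header */
    uint16_t total = (uint16_t)d[2] | ((uint16_t)d[3] << 8);
    if (total > cap) return -3;          /* would overflow the buffer */
    if (total > len) return -4;          /* claims more than was received */
    if (total < d[0]) return -5;         /* shorter than its own header */
    /* Walk each sub-descriptor: its bLength must stay inside wTotalLength. */
    for (size_t off = 0; off < total; ) {
        uint8_t bl = d[off];
        if (bl < 2 || off + bl > total) return -6;
        off += bl;
    }
    return 0;
}

/* Copy into a fixed buffer only after validation, bounded by the buffer's
 * capacity and not by the device-controlled wTotalLength alone. */
int copy_config_descriptor(uint8_t *dst, size_t cap, const uint8_t *src, size_t len)
{
    int rc = validate_config_descriptor(src, len, cap);
    if (rc != 0) return rc;
    uint16_t total = (uint16_t)src[2] | ((uint16_t)src[3] << 8);
    memcpy(dst, src, total);
    return (int)total;
}

/* Constructed samples (not captured from any device): a well-formed
 * configuration with one interface and one endpoint, and the same bytes
 * with wTotalLength raised to 0x0400, far beyond CONFIG_BUF_MAX. */
#define CFG_LEN 25
const uint8_t good_cfg[CFG_LEN] = {
    0x09, 0x02, 0x19, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,   /* config    */
    0x09, 0x04, 0x00, 0x00, 0x01, 0x03, 0x00, 0x00, 0x00,   /* interface */
    0x07, 0x05, 0x81, 0x03, 0x08, 0x00, 0x0A };             /* endpoint  */
const uint8_t oversized_cfg[CFG_LEN] = {
    0x09, 0x02, 0x00, 0x04, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x01, 0x03, 0x00, 0x00, 0x00,
    0x07, 0x05, 0x81, 0x03, 0x08, 0x00, 0x0A };
```

The same walk also rejects a descriptor whose claimed total exceeds what the host actually received, which is the case the truncated-input check covers.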

By the way: the PSJailbreak is not updateable. The update feature that has been mentioned can, if at all, only be realised with additional hardware.